Is setting a custom Access-Control-Expose-Headers needed?

According to this thread

https://www.tmssoftware.com/site/forum/forum_posts.asp?TID=11295&title=how-can-i-read-out-accesstoken-in-response-header

and my sample on GitHub

I call a RemObjectsSDK HTTPApi server from a TMS WebCore web application.

The problem:
I can’t read out the ‘Access-Token’ from the login response.
If I call getResponseHeader('Access-Token') on the returned JS response object in Chrome,
I get “Refused to get unsafe header “Access-Token””.

Does this mean I need to add ‘Access-Token’ to the Access-Control-Expose-Headers on the server side?
If yes, how can I do that?

I hope you can understand my problem.

Hi,

You can try adding the Access-Control-Expose-Headers header in the TROHttpApiSimpleAuthenticationManager.WriteAuthenticationInfo method in the uROHttpApiSimpleAuthenticationManager unit:

procedure TROHttpApiSimpleAuthenticationManager.WriteAuthenticationInfo(
  aResponse: IROHTTPResponse; aSessionInfo: TROHttpApiSession);
begin
  if Assigned(SessionManager) then begin
    if SessionManager.IsSessionPresent(aSessionInfo.SessionID) then begin
      aResponse.Headers[tag_Access_Token] := GUIDToString(aSessionInfo.SessionID);
      /// add header here
    end;
  end;
end;

If this solves the issue, please let us know and we’ll modify the RO sources.

You must return the Access-Control-Expose-Headers = Authorization so one must add:
aResponse.Headers['Access-Control-Expose-Headers'] := tag_Access_Token;

Yes, it solves the issue :smile:

Is it enough to specify

aResponse.Headers['Access-Control-Expose-Headers'] := tag_Access_Token;

in TROHttpApiSimpleAuthenticationManager.WriteAuthenticationInfo, or should we specify these fields when processing the OPTIONS request?

At the moment it seems to be enough. I will continue to work on the demo project on GitHub. I do not know yet what to expect.
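An added example, not part of the thread and not RemObjects or TMS code: a small model of the browser rule behind the "Refused to get unsafe header" message, following the Fetch standard's CORS-exposed header list. The browser evaluates Access-Control-Expose-Headers on the actual response (here, the login response), which is why setting it alongside the token changes what getResponseHeader returns. The function name `readableHeaders` is hypothetical and the header values are constructed samples.

```javascript
// Added example: models which response headers a cross-origin script may read.
// Header names/values below are constructed samples, not captured traffic.

// CORS-safelisted response header names (Fetch standard).
const SAFELISTED = new Set([
  'cache-control', 'content-language', 'content-length',
  'content-type', 'expires', 'last-modified', 'pragma',
]);
// Forbidden response header names: never readable from script.
const FORBIDDEN = new Set(['set-cookie', 'set-cookie2']);

// headers: array of [name, value] pairs from the actual (non-preflight) response.
// withCredentials: true when the request was sent with credentials.
function readableHeaders(headers, withCredentials = false) {
  const exposed = new Set();
  for (const [name, value] of headers) {
    if (name.toLowerCase() !== 'access-control-expose-headers') continue;
    for (const item of value.split(',')) {
      const token = item.trim().toLowerCase();
      if (token) exposed.add(token);
    }
  }
  // "*" is a wildcard only for requests sent without credentials.
  const wildcard = exposed.has('*') && !withCredentials;
  const readable = [];
  for (const [name] of headers) {
    const n = name.toLowerCase();
    if (FORBIDDEN.has(n)) continue;
    if (SAFELISTED.has(n) || exposed.has(n) || wildcard) readable.push(n);
  }
  return readable;
}

// Constructed login responses: before and after the server-side change.
const before = [
  ['Content-Type', 'application/json'],
  ['Access-Token', '{00000000-0000-0000-0000-000000000000}'],
];
const after = [...before, ['Access-Control-Expose-Headers', 'Access-Token']];

console.log(readableHeaders(before)); // Access-Token is withheld
console.log(readableHeaders(after));  // Access-Token is readable
```

Listing only the header names the client needs keeps other response headers hidden from cross-origin scripts; `*` exposes everything except cookies, and only for requests without credentials.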

Thanks, logged as bugs://80996

Thanks, logged as bugs://80997

bugs://80997 got closed with status fixed.

bugs://80996 got closed with status fixed.